Configuring SSL for the email engine


Enterprise and standalone certification authorities (CAs) can issue certificates for securing email with SSL. This topic explains in general terms how to configure Secure Sockets Layer (SSL) for use with Email Engine. There is no "one size fits all" CA solution; you must weigh several factors, starting with which CA to use. Configuration differs considerably between a commercial CA such as VeriSign and a certificate server in a non-Active Directory environment managed through Microsoft's Certification Authority console.

As you set up your secure email, remember these tips:

  • SSL is an open standard that Netscape Communications developed to establish and protect web communications and prevent the interception of critical information such as credit card numbers.
  • By default, the Email Engine does not use SSL; you must configure Email Engine for it to use SSL. For more information, see Configuring incoming mailboxes and Configuring outgoing mailboxes.
  • Email Engine does not support Transport Layer Security (TLS). However, Email Engine uses JavaMail, which supports the use of TLS parameters and therefore TLS can be used with Email Engine. For more information, see Does the Remedy ARS Email engine support TLS (Transport Layer Security) on the BMC Community site.

Figure: A digitally signed email message that uses SSL

To configure SSL for Email Engine

  1. Set up a local CA or search for a CA to use with your mail server.
     You must decide whether to use a commercial CA (for example, VeriSign) or a CA created in-house. Most Windows system administrators can set up a CA on a Windows server in just a few minutes. The primary difference between a commercial and an in-house CA is that a "cert" (certificate) issued by VeriSign is trusted far and wide, while a cert issued by an in-house CA is not trusted by anyone outside the organization.
  2. In Microsoft Exchange System Manager (used by a Microsoft Exchange system administrator only), open the properties of the IMAP virtual server.
    1. Use the Certificate Wizard to generate a cert request.
       For the detailed procedure, see To generate a Certificate Signing Request (CSR) for a Microsoft Exchange server.
    2. Submit the cert request to the CA.
       The procedures required to submit and receive a cert from a CA vary, depending on the CA. For more information, see To create a CA certificate from a CSR.
    3. Use the Certificate Wizard to install the cert received from the CA.
       For more information, see To add an SSL certificate to a Microsoft Exchange server.
  3. Make sure that email users obtain their own certificate.
    1. Through the CA, generate a personal certificate that users will use for signing and encrypting their email messages. With a local CA, you can retrieve and install the cert by using a browser.
       Figure: Selecting a cert to use with your IMAP account
    2. In the email client, open the Properties dialog for your IMAP account and select the new cert to use for signing and encrypting email messages.
       Two users who have properly configured the certs on their mail client must then exchange certificates so that their communications can be secured.
    3. Send email messages that are signed, but not encrypted, between the two users.
       Figure: A signed email message

      Outlook Express provides the facility to sign and encrypt messages. The email client should automatically notice the signed message and store the certificate so that it can be used to encrypt further messages exchanged between the users.

To generate a Certificate Signing Request (CSR) for a Microsoft Exchange server

  1. In Microsoft Exchange System Manager, expand Servers > serverName > Protocols > IMAP4, and select Default IMAP4 Virtual Server.
     The same procedure applies to POP3 and SMTP.
  2. On the Default IMAP4 Virtual Server Properties dialog, open the Access tab, and click Certificate.
  3. On the Web Server Certificate Wizard:
    1. On the first page, click Next.
    2. On the Server Certificate page, select Create a new certificate if you have not yet created an SSL certificate for your web server, and click Next.
       If you already have an SSL certificate for your web server, select Assign an existing certificate, and click Next. A list of the SSL certificates installed on your web server appears; select the appropriate certificate, and then continue with the procedure in To create a CA certificate from a CSR.
    3. On the Name and Security Settings page, enter a unique name for the certificate, select 1024 as the bit length, and click Next.
       If you plan to install the trial certificate from VeriSign, do not select the Server Gated Cryptography (SGC) certificate check box. For more information about SGC, see your CA documentation on SSL algorithms.
       Note that 1024 bits reflects the Exchange version this procedure was written for; public CAs and current mail clients reject RSA keys shorter than 2048 bits, so select a longer key length wherever the wizard offers one.
    4. On the Organization Information page, select an Organization and the Organizational unit, and click Next.
    5. On the Your Site's Common Name page, enter the common name for your site.
       You can access the Microsoft Exchange server with this common name. This name will also be used to configure SSL on Outlook Express.
       Do not enter an IP address as the common name; otherwise, the CA will not issue the SSL certificate successfully.
    6. On the Geographical Information page, select the appropriate Country/Region, State/province, and City/locality, and click Next.
    7. On the Certificate Request File Name page, enter the absolute path and file name for the CSR (for example, certreq.txt), and click Next.
       Make sure that you provide a location that is easy to remember and access.
    8. On the Request File Summary page, verify the information you provided so far, and click Next if the information is accurate.
       Otherwise, click Back to navigate to the appropriate pages and change the necessary values.
    9. On the final page, click Finish to complete the process and close the wizard.

To create a CA certificate from a CSR

  1. Enter the information required to create the trial SSL certificate.
  2. When prompted for the CSR, copy the contents of certreq.txt file in the appropriate text area.
  3. When you complete the steps, a certificate is generated and sent to the email address that you entered in your information form.
  4. Open a new file in a text editor, and copy the following contents from the email you received from VeriSign:

     -----Begin Certificate-----
     <Encoded data>
     ...
     ...
     -----End Certificate-----

     Ensure that you do not select blank lines or spaces before Begin Certificate or after End Certificate.

  5. Save the file with the .cer extension, for example, web.cer.
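The following script is an added example and is not part of the BMC documentation. It implements the rule in steps 4 and 5 above in code: the saved .cer file must start exactly at the BEGIN marker and end exactly at the END marker, with no stray blank lines or spaces from the email. It also checks that the text between the markers is valid base64 and that the decoded bytes start with a DER SEQUENCE tag (the outer structure of every X.509 certificate) before anything is written to disk. The marker text in a real PEM file is upper case, as used here; the sample email and its certificate body are constructed placeholders, not a real certificate.

```python
"""Clean up a certificate pasted from a CA's email and save it as a .cer file.

Added example; it is not part of the BMC documentation. The sample input is
constructed and the base64 body is a placeholder, not a real certificate.
"""
import base64
import binascii
import re

# Real PEM markers are upper case, whatever capitalization the CA's email shows.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class PemError(ValueError):
    """Raised when the pasted text cannot be turned into a usable certificate."""


def extract_pem_certificate(text: str) -> str:
    """Return a clean, 64-column PEM block from text copied out of an email.

    Raises PemError if the markers are missing or out of order, the body is
    not base64, or the decoded data does not look like DER.
    """
    start = text.find(BEGIN)
    end = text.find(END)
    if start == -1 or end == -1 or end < start:
        raise PemError("BEGIN/END CERTIFICATE markers not found in the expected order")
    body = text[start + len(BEGIN):end]
    # Mail clients wrap and indent: strip every whitespace character in the body.
    b64 = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise PemError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise PemError("decoded data does not start with a DER SEQUENCE; not an X.509 certificate")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def validate_pem(text: str) -> str:
    """Return an empty string if the text yields a usable certificate,
    otherwise the reason it was rejected."""
    try:
        extract_pem_certificate(text)
    except PemError as exc:
        return str(exc)
    return ""


def save_cer_file(text: str, path: str) -> int:
    """Write the cleaned certificate to path (for example web.cer) with LF
    line endings and return the number of characters written."""
    pem = extract_pem_certificate(text)
    with open(path, "w", newline="\n") as fh:
        fh.write(pem)
    return len(pem)


# Constructed sample: the shape of a CA's reply, including the surrounding
# text, indentation and trailing spaces that must not end up in the file.
# The body decodes to a tiny DER SEQUENCE and is a placeholder only.
SAMPLE_EMAIL = """Dear customer,

Your trial certificate is below.

    -----BEGIN CERTIFICATE-----
    MAUC
    AwECAw==
    -----END CERTIFICATE-----   

Regards,
The CA
"""

if __name__ == "__main__":
    print(extract_pem_certificate(SAMPLE_EMAIL), end="")
    print(validate_pem("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"))
```

The DER check is deliberately shallow: it catches a body that is base64 but not a certificate (for example, a pasted signature or a private key blob) without needing an ASN.1 parser. The Exchange wizard accepts the resulting PEM file as the .cer input in To add an SSL certificate to a Microsoft Exchange server.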

To add an SSL certificate to a Microsoft Exchange server

  1. In Microsoft Exchange System Manager, expand Servers > serverName > Protocols > IMAP4, and select Default IMAP4 Virtual Server.
  2. In the Default IMAP4 Virtual Server Properties dialog box, open the Access tab, and click Certificate.
  3. On the Web Server Certificate Wizard:
    1. On the first page, click Next.
    2. On the Pending Certificate Request page, select Process the pending request and install the certificate, and click Next.
    3. On the Process a Pending Request page, enter the absolute path and file name that you provided when creating the CSR, and click Next.

To enable SSL communication on a Microsoft Exchange server

  1. In Microsoft Exchange System Manager, expand Servers > serverName > Protocols > IMAP4, and select Default IMAP4 Virtual Server.
  2. On the Default IMAP4 Virtual Server Properties dialog, open the Access tab, and click Communication.
  3. In the Security dialog box, select Require secure channel, and click OK.
     If you plan to install the trial certificate from VeriSign, do not select Require 128-bit encryption.

To set up Microsoft Outlook Express and Email Engine

  1. To use IMAPS (IMAP over SSL) for Outlook Express, open a browser and navigate to http://www.verisign.com/products-services/security-services/ssl/buy-ssl-certificates/free-trial/test-root-ca/trialcainstall.html.
     Follow the prompts on the screen and install the test root CA on the computer where you want to configure Outlook Express.
     When prompted to enter the IMAP server address, you must provide the "common name" you entered while creating the CSR. If you provide any other value or an IP address, the "CN does not match with passed value" warning appears.

  2. To configure Email Engine to use SSL, import the test root CA certificate into the keystore by using the following command:

    <javaHome>\bin\keytool -import -alias "testroot"
    -keystore <javaHome>\lib\security\cacerts
    -file <certFilePath>/testroot.cer

    javaHome is the directory where JRE (not JDK) is installed.
    Find the appropriate keystore path before entering the command. Email Engine uses the location where Oracle Java Runtime Environment (Oracle JRE) is installed as the keystore path.
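The following script is an added example and is not part of the BMC documentation or of Email Engine itself. It shows, with only the Python standard library, what the keytool import above achieves on the Java side: a client that trusts the test root CA, connects to the IMAP server over SSL, verifies the certificate chain, and checks that the name in the certificate matches the host it dialled (the condition behind the "CN does not match with passed value" warning). The name-matching helpers work on the dictionary that getpeercert() returns, so they can be exercised offline against the constructed sample certificate at the bottom. IMAP_HOST, CA_FILE and the sample certificate are placeholders, not values from the original page.

```python
"""Connect to an IMAPS server and check its certificate the way a verifying
client does.

Added example; not BMC documentation and not Email Engine code. Assumptions:
the test root CA was saved as a PEM file (testroot.cer, as in the keytool
step above), the server listens on port 993, and IMAP_HOST is the common
name that was entered in the CSR.
"""
import imaplib
import socket
import ssl

IMAP_HOST = "mail.example.com"   # placeholder: use the CSR common name, never an IP address
CA_FILE = "testroot.cer"         # placeholder path to the test root CA certificate


def build_context(cafile):
    """Trust the given root CA. This is the Python counterpart of importing
    testroot.cer into the JRE cacerts keystore with keytool."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True              # the CN/SAN must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED    # an unverifiable chain aborts the handshake
    return ctx


def certificate_names(cert):
    """DNS names a certificate is valid for, taken from a getpeercert() dict:
    subjectAltName DNS entries first, subject commonName only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def host_matches(cert, host):
    """Case-insensitive match of host against the certificate's names, allowing
    one leading wildcard label (*.example.com matches imap.example.com only).
    An IP address never matches a DNS name, which is why the CSR common name
    must be a host name."""
    host = host.lower().rstrip(".")
    for name in certificate_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_imaps(host=IMAP_HOST, cafile=CA_FILE, port=993):
    """Open a TLS connection, verify chain and host name, then send an IMAP
    NOOP. A mismatch raises ssl.SSLCertVerificationError, the same condition
    the mail client reports as "CN does not match"."""
    ctx = build_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result = {
                "protocol": tls.version(),   # the version the server actually negotiated
                "names": certificate_names(cert),
                "host_ok": host_matches(cert, host),
            }
    # Reuse the same context with imaplib, which is what a mail client does.
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    result["noop"] = conn.noop()[0]
    conn.logout()
    return result


# Constructed sample in the shape returned by SSLSocket.getpeercert(); it is
# not a real certificate and only exercises the name checks offline.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "mail.example.com"),)),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.corp.example.com")),
}

if __name__ == "__main__":
    for candidate in ("mail.example.com", "imap.corp.example.com", "10.0.0.5"):
        verdict = "OK" if host_matches(SAMPLE_CERT, candidate) else "CN does not match"
        print(candidate, "->", verdict)
```

The "protocol" entry is worth reading when troubleshooting the TLS point made at the top of this page: a current server will report a TLS version rather than SSL, and a JavaMail client such as Email Engine negotiates the same way, so a successful run here means the keystore and host name are set correctly before you touch the Email Engine mailbox configuration.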
